Hackers Can Tap Into Vonage Lines, Says Security Firm

A security firm disclosed Wednesday that a security hole in Vonage's VoIP system could allow an attacker to reroute and effectively hijack phone calls.

"This leaves the Vonage customer subject to spam, social engineering vulnerabilities, and scams," reads a security advisory issued yesterday by Sipera Systems, a relatively unknown VoIP security firm out of Richardson, Texas. The company said it had alerted Vonage to the problem over a month ago, however it never received a response.

While not necessarily a large security threat, the issue still shows that the beleaguered VoIP providers security measures may not be going far enough to ensure that calls made through the service are indeed making it to their intended recipient.

Sipera says it also found problems in services offered by Globe7 and Grandstream, although the Vonage issue affects the most people. Through that, the Vonage Phone Adapter VT 2142-VD is specifically said to have the issue.

Along with the VoIP hijacking issue, an attacker could also send multiple SIP INVITE messages, which would cause an internet version of "ringing the phone off the hook," Sipera said.

"These vulnerabilities create serious privacy and service availability issues for users," Sipera founder and CTO Krishna Kurapati said in a statement. ""Vonage, Globe7 and Grandstream customers can no longer assume that their VoIP providers are automatically securing their services."

With European VoIP provider Globe7, Sipera found holes in its online account access, and Grandstream's HandyTone-488 PSTN-to-VoIP adapter was found to be vulnerable to buffer overflows and fragmented packet attacks.